1. Technical Field
The present disclosure relates to technology enabling authentication between server and client devices using digital certificates when connecting to a network. More particularly, the invention relates to a communication device, a printer, and a control method therefor that perform authentication using digital certificates.
2. Related Art
When connecting to a network, devices (client devices) that send and receive data through the network may use various methods of authentication using digital certificates with an authentication server. For example, in authentication using the EAP-TLS authentication protocol, the client performs server authentication, in which the client inspects the authentication server, when the client connects to a network. For server authentication, the client inspects the server certificate, which is the digital certificate of the authentication server. The server certificate contains information such as the validity period and the signature of the certificate authority, and the client inspects the content of the server certificate. If the client successfully authenticates the server certificate, and the authentication server successfully authenticates the client, the network connection service starts. The server certificate is provided to the client in advance by some other means.
During server authentication, the client verifies whether the server certificate is valid or has expired. This validation test checks whether the validity period contained in the server certificate matches the time information (current time) maintained by the client. More specifically, the client determines whether the current time falls within the validity period of the server certificate. If the client has an internal clock, the client can use the time indicated by the internal clock for testing the validity period. However, if the internal clock of the client stops when the power turns off, for example, the time indicated by the internal clock when the client turns on again may differ from the correct current time. When this happens, the validity period cannot be correctly tested, and a server certificate that has exceeded its validity period (has expired) may be erroneously determined to still be valid. If the internal clock of the client is simply wrong, a server certificate with an impossible validity period (such as a server certificate that has not been issued yet and has a validity period in the future) may be erroneously determined to be valid.
When the client has an internal clock that is not operating correctly or the client does not have an internal clock, the client cannot correctly check the validity period using only information on the client side. The client must therefore be able to acquire the correct current time by some means. One source of correct current time information is an NTP server connected to the network, but a client that cannot connect to the network unless server authentication is successful cannot acquire the current time from an NTP server on the network.
To solve this problem, JP-A-2010-193158 describes a client that, when it does not have the correct current time information, performs a temporary authentication that checks the trustworthiness of other information without verifying the validity period, and if this temporary authentication is successful, connects to the network and acquires the correct time information from a time server on the network. The client then checks the trustworthiness of the server certificate by attempting normal authentication including testing the validity period using the acquired time information.
In the authentication method disclosed in JP-A-2010-193158, the correct current time can be acquired through the network, and the validity period can be tested based on this time. The validity period of the server certificate can therefore be correctly verified even when the client does not have an internal clock or the time kept by the internal clock is wrong, and security can be assured when connecting to a network. However, with the method disclosed in JP-A-2010-193158, the client connects to the network without verifying the validity period of the server certificate. The client can therefore connect to the network even when a server certificate that is no longer valid is received, and security therefore cannot be assured. In addition, because the client connects to the network in order to detect whether the validity period has expired, processing time is wasted and efficiency is poor.
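The validity-period test described in the related art above, the ways an unreliable internal clock defeats it, and the two-step flow attributed to JP-A-2010-193158 are shown together in the following added Python example. It is not code from this disclosure or from the cited application; it models only what the text describes. The certificate dates, the firmware build time used as a lower bound on plausible clock readings, and the `time_server` callable standing in for an NTP query are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Callable, List, Tuple


class Verdict(Enum):
    VALID = "valid"
    EXPIRED = "expired"
    NOT_YET_VALID = "not_yet_valid"
    CLOCK_UNRELIABLE = "clock_unreliable"


@dataclass(frozen=True)
class ServerCert:
    # Constructed stand-in holding only the X.509 validity fields; the signature and
    # issuer checks the text also mentions are assumed to have passed already.
    subject: str
    not_before: datetime
    not_after: datetime


def utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Assumed lower bound on the true time: the device cannot run before its firmware was
# built, so a clock reading earlier than this has certainly reset (constructed value).
FIRMWARE_BUILD_TIME = utc(2024, 3, 1)


def check_validity_period(cert: ServerCert, now: datetime, clock_trusted: bool) -> Verdict:
    """The validity test from the text: is 'now' inside [not_before, not_after]?
    If the caller cannot vouch for 'now', no verdict on the period is given at all."""
    if not clock_trusted:
        return Verdict.CLOCK_UNRELIABLE
    if now < cert.not_before:
        return Verdict.NOT_YET_VALID
    if now > cert.not_after:
        return Verdict.EXPIRED
    return Verdict.VALID


def clock_is_plausible(reading: datetime) -> bool:
    """A reading before the firmware build time is impossible. This catches a clock that
    fell back to its epoch, but NOT a clock that merely stopped for a while or runs fast."""
    return reading >= FIRMWARE_BUILD_TIME


def naive_client(cert: ServerCert, clock_reading: datetime) -> Verdict:
    """Trusts the internal clock unconditionally (the failure mode the text describes)."""
    return check_validity_period(cert, clock_reading, clock_trusted=True)


def cautious_client(cert: ServerCert, clock_reading: datetime) -> Verdict:
    """Refuses to judge the validity period from an implausible clock reading."""
    return check_validity_period(cert, clock_reading, clock_is_plausible(clock_reading))


def two_step_client(cert: ServerCert, clock_reading: datetime,
                    time_server: Callable[[], datetime]) -> Tuple[Verdict, List[str]]:
    """The two-step flow the text attributes to JP-A-2010-193158, modelled from the
    description only: with an unreliable clock, accept the certificate on its other
    content alone (temporary authentication), connect, fetch the time from the network,
    then re-run the full test. The trace records what happened before the final verdict."""
    trace: List[str] = []
    if clock_is_plausible(clock_reading):
        trace.append("normal authentication using the internal clock")
        return check_validity_period(cert, clock_reading, True), trace
    trace.append("temporary authentication: connected without validity-period test")
    network_time = time_server()  # assumed stand-in for an NTP query over the network
    trace.append(f"acquired time {network_time.date()} from time server")
    return check_validity_period(cert, network_time, True), trace


def demo() -> dict:
    """Constructed scenario: the certificate expired months before the true current time."""
    cert = ServerCert("auth-server.example", utc(2024, 6, 1), utc(2025, 6, 1))
    future_cert = ServerCert("auth-server.example", utc(2027, 1, 1), utc(2028, 1, 1))
    true_now = utc(2026, 1, 15)
    stalled_clock = utc(2024, 9, 10)   # clock stopped at power-off and resumed from there
    reset_clock = utc(2000, 1, 1)      # clock fell back to its epoch
    fast_clock = utc(2027, 7, 1)       # clock running well ahead of the true time
    ntp = lambda: true_now             # constructed stand-in for an NTP server
    return {
        "naive/stalled": naive_client(cert, stalled_clock),        # VALID: wrong, cert expired
        "naive/reset": naive_client(cert, reset_clock),            # NOT_YET_VALID: rejected for the wrong reason
        "naive/fast-future-cert": naive_client(future_cert, fast_clock),  # VALID: cert not issued yet
        "cautious/stalled": cautious_client(cert, stalled_clock),  # VALID: a stall passes the lower bound
        "cautious/reset": cautious_client(cert, reset_clock),      # CLOCK_UNRELIABLE: no verdict
        "two-step/reset": two_step_client(cert, reset_clock, ntp), # EXPIRED, but only after connecting
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:28} {result}")
```

The stalled-clock and fast-clock rows show why a local plausibility bound alone is not enough: a lower bound on time catches a reset clock but cannot detect a clock that stopped within the certificate's period or one that runs ahead, which is exactly the gap the text says only a correct external time source closes. The two-step row shows the cost of that source as the text describes it: the trace records a connection made before the validity period was ever tested, even though the final verdict is correct.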
In addition to the two-step authentication method described in JP-A-2010-193158, another method of testing the validity period requires the network administrator to inform the user of each client device that connects to the network of a time within the validity period of the server certificate, and the user to set that time manually. If the reported time is stored and saved on the client, time verification will not fail until the server certificate is updated, and normal authentication alone will suffice. However, with this method, every time the server certificate is renewed, the users must manually update the time setting on all of the many clients using the same server certificate. This imposes a heavy burden on the users and increases operating costs.